Configuring a Password Expiration Policy in Existing Domain (Change Password Policy Settings):
Open the Active Directory Users and Computers snap-in while logged in to the domain controller as an administrator.
Choose the Password Policy key, and change settings as appropriate for your environment.
Go back up a level and then select the Account Lockout Policy key, and change settings as appropriate for your environment.
Your password change policy is now active in the domain, and will affect all user objects that are not set explicitly with "do not expire password".
A WORD OF CAUTION IN EXISTING DOMAINS: Keep in mind that once you enable the password expiration policy in an existing domain, you run the risk of immediately expiring all user passwords that have not been set with "do not expire password" on their account properties. This can cause a huge support nightmare. Before you enable the password expiration policy, be sure to go through AD and set all staff user accounts with "do not expire password" under the "account" tab of the user properties. Then you can safely enable the above policies without affecting users.
Use a good pre-planning and expiration reminder tool! Get something like Password Reminder PRO from SysOp Tools (http://www.sysoptools.com) which will automatically send a reminder email to expiring password users and let them know when their password will expire, and will also allow you to clean up your AD before policy deployment. It is a great inexpensive tool that will save you a lot of work!
Use a good user support tool to reduce help desk load! The first two password change periods for users carry the highest support overhead as users get used to changing their password and creating a complex password. Any tools you can give them to make life easier will result in lower support calls and happier users / IT staff.
Typically, deploying an easily accessible web-based self service solution which allows users to self change password, self reset password or self unlock account is a great way to go. Look at something easy to deploy and inexpensive like Password Reset PRO from SysOp Tools.
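The pre-deployment clean-up described in the caution above can be scoped with a short script. This is an added example, not part of the original answer; the function name Get-ExpiryImpact, the 14-day warning window and the sample accounts are assumptions made for illustration.

```powershell
# Added example: classify accounts by the effect of a planned maximum password age.
function Get-ExpiryImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 42,        # planned "Maximum password age" (assumed)
        [int] $WarnDays = 14,          # hypothetical reminder window
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $expires = $null
        if ($User.PasswordNeverExpires) {
            $impact = 'Exempt'                  # "do not expire password" is set
        } elseif ($null -eq $User.PasswordLastSet) {
            $impact = 'MustChangeAtNextLogon'   # no password-set timestamp
        } else {
            $expires = $User.PasswordLastSet.AddDays($MaxAgeDays)
            if ($expires -le $AsOf) { $impact = 'ExpiresImmediately' }
            elseif ($expires -le $AsOf.AddDays($WarnDays)) { $impact = 'ExpiresSoon' }
            else { $impact = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            WouldExpire     = $expires
            Impact          = $impact
        }
    }
}

# Constructed sample accounts (not real data) so the logic runs without a domain.
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; PasswordNeverExpires = $false; PasswordLastSet = [datetime]'2023-11-15' }
    [pscustomobject]@{ SamAccountName = 'bob'; PasswordNeverExpires = $false; PasswordLastSet = [datetime]'2024-04-28' }
    [pscustomobject]@{ SamAccountName = 'carol'; PasswordNeverExpires = $false; PasswordLastSet = [datetime]'2024-05-25' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordNeverExpires = $true; PasswordLastSet = [datetime]'2021-01-10' }
    [pscustomobject]@{ SamAccountName = 'newhire'; PasswordNeverExpires = $false; PasswordLastSet = $null }
)
$sample | Get-ExpiryImpact -MaxAgeDays 42 -AsOf $asOf | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-ExpiryImpact -MaxAgeDays 42 | Where-Object Impact -ne 'OK'
```

Accounts reported as ExpiresImmediately are the ones that would generate help desk calls on the day the policy is enabled; accounts reported as Exempt should be reviewed afterwards so the exemption does not become permanent.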
A domain password is very important for the user because it secures your information. After your domain name password expires, you should renew it. A password must be initially assigned to a user when enrolled on the system. You should manage your password before it expires.
Enforce Password History
Password Replication Policy
Log in as an administrator. Open Group Policy and configure the password policy.
Kerberos Policy: first sentence on page 162
Seven Characters long.
Kerberos Policy. This is found under: Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policies
You can use a combination of six policies.
Configuring Password Policy Settings in an Active Directory-Based Domain
You must be logged on as a member of the Domain Admins group.
To implement password policies on network computers belonging to an Active Directory domain:
1. Navigate to the Control Panel (Start > Settings > Control Panel) and open the 'Administrative Tools'.
2. Open the 'Active Directory Users and Computers'. Right click on the root container of the domain and select Properties.
3. In the properties dialog, click on the Group Policy tab. Then click on New to create a new Group Policy Object (GPO) in the root container.
4. Specify the name of the new group policy (for example, "Domain Policy") and then click on Close.
NOTE: Microsoft recommends that you create a new Group Policy Object rather than editing the default policy (called 'Default Domain Policy'). This makes it much easier to recover from serious problems with security settings. If the new security settings create problems, you can temporarily disable the new Group Policy Object until you isolate the settings that caused the problems.
5. Right click on the root container of your domain and select Properties. This will bring up again the Domain Properties dialog.
6. Click on the Group Policy tab, and select the new Group Policy Object Link that you have just created (for example, 'Domain Policy').
7. Click on Up to move the new GPO to the top of the list, and then click on Edit to open the Group Policy Object Editor.
8. Expand the Computer Configuration node and navigate to Windows Settings > Security Settings > Account Policies > Password Policy folder.
9. From the right pane, double-click on the 'Enforce password history' policy. Then select the 'Define this policy setting' option, and set the 'Keep password history' value to '24'.
10. Click on the OK button to close the dialog.
11. From the right pane, this time double-click on the 'Maximum password age' policy. Then select the 'Define this policy setting' option and set the 'Password will expire' value to 42 days.
12. Click on OK to close the properties dialog.
13. From the right pane, double-click on the 'Minimum password age' policy. Then select the 'Define this policy setting' option and set the 'Password can be changed after:' value to '2'.
14. Click on the OK button to close the dialog.
15. From the right pane, double-click on the 'Minimum password length' policy. Then select the 'Define this policy setting' option and set the value of the 'Password must be at least:' entry field to '8'.
16. Click on the OK button to close the dialog.
17. From the right pane, double-click on the 'Password must meet complexity requirements' policy. Then enable the 'Define this policy setting in the template' option, and select 'Enabled'.
18. Click on the OK button to close the dialog.
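After the GPO has applied, the effective domain policy can be compared with the values set in steps 9 to 17. This is an added example, not part of the original answer; the function name Test-PasswordPolicyBaseline and the sample policy object are assumptions, and the check treats a stricter value than the one in the steps as compliant.

```powershell
# Added example: compare a domain password policy object with the values from the steps above.
function Test-PasswordPolicyBaseline {
    param([Parameter(Mandatory)] $Policy)

    $maxDays = $Policy.MaxPasswordAge.TotalDays
    $minDays = $Policy.MinPasswordAge.TotalDays
    $checks = @(
        @{ Name = 'Enforce password history'; Expected = '>= 24'
           Actual = $Policy.PasswordHistoryCount; Ok = ($Policy.PasswordHistoryCount -ge 24) }
        # A maximum age of 0 means passwords never expire, so it must fail the check.
        @{ Name = 'Maximum password age (days)'; Expected = '1..42'
           Actual = $maxDays; Ok = ($maxDays -gt 0 -and $maxDays -le 42) }
        @{ Name = 'Minimum password age (days)'; Expected = '>= 2'
           Actual = $minDays; Ok = ($minDays -ge 2) }
        @{ Name = 'Minimum password length'; Expected = '>= 8'
           Actual = $Policy.MinPasswordLength; Ok = ($Policy.MinPasswordLength -ge 8) }
        @{ Name = 'Password must meet complexity requirements'; Expected = 'True'
           Actual = $Policy.ComplexityEnabled; Ok = ($Policy.ComplexityEnabled -eq $true) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Name; Expected = $c.Expected; Actual = $c.Actual; Compliant = $c.Ok
        }
    }
}

# Constructed sample policy (not real data): two settings still differ from the steps.
$sample = [pscustomobject]@{
    PasswordHistoryCount = 24
    MaxPasswordAge       = [timespan]::FromDays(42)
    MinPasswordAge       = [timespan]::FromDays(1)
    MinPasswordLength    = 7
    ComplexityEnabled    = $true
}
Test-PasswordPolicyBaseline -Policy $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy)
```

A non-compliant row after the new GPO is linked usually means another GPO at the domain root still has higher precedence, which is what step 7 is meant to prevent.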
Microsoft recommends that access control to computer resources be administered by using groups. In this way, many users that have similar needs for resources can be dropped into a group that has the correct permissions already configured instead of individually modifying each user account. Group permissions to access resources are configured using group policy. A policy usually addresses one very specific aspect of a system's configuration. There are many policies that can be configured for a group to control system access and behavior.
Local group policy addresses only users who are physically logging into one particular machine such as the server itself or a stand-alone operating system. To log into a machine locally, a user must create a unique ID/Password pair that authenticates the local user to the local physical system. Once authenticated to the local physical machine, group policy according to which local group the user is assigned is initiated.
Domain authentication as well as domain group policy is maintained centrally by the server for the domain. Even if a user has configured a local ID/Password pair for their local physical computer, a different and unique ID/Password pair is created to log onto the domain. When a domain user is created, they also must be assigned to a domain group. Once the server for the domain authenticates the domain user, the policy for the domain group the user belongs to is initiated. These policies are centrally administered by the domain administrator instead of each computer in the domain being configured separately for each user.
Domain group policy can be configured to control access and behavior for any resource on the entire domain including resources on client computers. Local group policy can only control what is on the local machine at which a user is sitting. Finally, domain group policy supersedes any local group policy.
Group Policy Object Editor
The container in this question is "Users"; the Objects are inside the Container. They are as follows: Administrator, Allowed RODC Password Replication Group, Cert Publishers, Denied RODC Password Replication Group, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, Enterprise Admins, Enterprise Read-only Domain Controllers, Group Policy Creator Owners, Guest, RAS and IAS Servers, Read-only Domain Controllers, Schema Admins (either Student99 or your ITT Student number)
Default Domain Policy and Default Domain Controller Policy